'Zero trust' requires IT and the mission side to collaborate

By Derek B. Johnson

May 21, 2020

Information sharing and cybersecurity controls are pillars of good governance and areas of emphasis for the federal government. The move to the zero-trust model potentially puts guardrails around sharing and requires cooperation between techies and the mission side to work, according to a top federal technology official.

For much of the past 20 years, the federal government has segmented its systems and networks, but, said Federal Chief Information Security Officer Grant Schneider, "you presumed once someone had access control … that they were entitled to see almost anything in there."

"That's great for information sharing, it's a challenge from a security standpoint because it's an opportunity for our adversaries," Schneider said at a May 18 event hosted by FCW. "When an outsider or an adversary get into your system, they really only look like an adversary for a short period time, because they pretty quickly are able to pivot to leverage real credentials in some way shape or form, and suddenly your outsider looks like an insider. So the fact that you built an environment where you're trusting all of your insiders is really not going to help you and not going to allow you the capabilities that you need."

The choice to give employees "pretty much free rein" if they had access privileges was part of a larger shift that has taken place in the federal government to facilitate greater information sharing following 9/11, Schneider said.

However, over that same timeframe, agencies have also suffered a string of embarrassing security compromises, both from state-backed hacking groups and insiders who abused access privileges to steal or leak data unrelated to their day-to-day responsibilities.

Lately, a "zero trust" model has been trending, in which agencies architect their systems and networks with controls that by default assume malicious intent from both insiders and outsiders.

That means agencies will have to re-evaluate who gets access to what information and under which conditions. Employees physically present in a federal facility might have different access and privileges than they would if they were logging in remotely. Agencies must also get better at tracking and quickly updating when an employee's role (and corresponding access) changes.

There's a long way to go before that paradigm takes hold, however.

"We're still riding a lot of networks and environments that your IT department or you don't know much about," Schneider said. "We don't know how they're run, we don't know who's on them, we don't know what they look like."

The technologies needed to put zero trust in place aren't particularly sophisticated or difficult to implement, Schneider said. What's trickier is ensuring agencies have clear rules for access. Those policies and decisions, he said, are "going to come from the mission side, from the business side who understand their data and their environment," he said.

Schneider drew on his time as CIO at the Defense Intelligence Agency to illustrate this point.

"I didn't know whether a Middle East analyst in Germany should or shouldn't be looking at a piece of data or information on China or North Korea or somewhere else. Because there may be a nexus and a connection and a thread that they're pulling on, and I don't want to be the one that's preventing them from connecting the dots," he said. The alternative is that CIOs and CISOs get involved in training the mission side on security.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.